Two independent companies, one brand. Each is the controller for the personal data it collects — not joint controllers within the meaning of Art. 26 GDPR.

• ins-pi GmbH — Im Zollhafen 18, Kranhaus 1, 50678 Köln, Germany · Cologne Local Court, HRB 85108 · VAT ID DE301373516 · controller for visitors in the EEA, United Kingdom, and Switzerland, and for customers and prospects of YouDesign Freelucy, YouDesign Command (UPMX), and Designer.
• ins-pi Inc. — 444 Brickell Avenue, Suite 700, Miami, FL 33131-2403, USA · EIN 61-2088005 · controller for visitors in the Americas, and for customers and prospects of YouDesign Blueprints, YouDesign Models, and YouDesign Processes.

This statement covers personal data collected through ins-pi.com and each company's business operations. It does not cover data that customers manage inside their own ServiceNow instance using the YouDesign Transformation Suite — those applications run 100% on the customer's instance and do not transmit data to either ins-pi entity.

A single mailbox handles privacy matters to either company: privacy@ins-pi.com. Mail is routed to the correct controller.

2. What we collect, why, and on what basis

Each controller processes the minimum personal data needed for the interaction in question:

• Contact data (name, company, work email, phone, message) submitted via forms, email, or events — to respond to inquiries, run demos, and deliver services you or your employer have requested. Legal basis: contract / pre-contract steps (Art. 6(1)(b)) or consent (Art. 6(1)(a)).
• Account and commercial data (company, billing contacts, purchase orders, support history) — to provide services and meet statutory accounting obligations. Legal basis: contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)).
• Technical data (IP address, user agent, pages viewed) — to operate and secure the site. Legal basis: legitimate interest (Art. 6(1)(f)).
• Marketing preferences and consent records — to send communications only where opted in. Legal basis: consent (Art. 6(1)(a)).
• Recruiting data (CV, references), where applicable — to evaluate applications. Legal basis: pre-contract steps (Art. 6(1)(b)).

Sources. Personal data reaches the applicable controller from one of three places: (i) directly from you — via forms, email, events, applications, or contracts; (ii) automatically — through server logs, cookies (where consented), and security telemetry when you visit ins-pi.com; (iii) from third parties — business partners and event co-organisers (e.g. ServiceNow, referral partners), public sources (LinkedIn, company registries, press), and B2B enrichment providers used under a documented lawful basis. Neither company purchases consumer data or knowingly accepts data from sources that could not lawfully transfer it.

Neither company uses automated decision-making that produces legal or similarly significant effects (Art. 22 GDPR). Neither knowingly collects data from individuals under 16.

3. Sharing and international transfers

Personal data may be shared with a small, vetted set of service providers (hosting, CRM, email, helpdesk, analytics, business tooling) under signed Data Processing Agreements where required. Transfers between ins-pi GmbH and ins-pi Inc., and transfers to providers outside the EEA / UK / Switzerland, rely on a lawful mechanism — an adequacy decision, the EU–U.S. Data Privacy Framework, Standard Contractual Clauses, or the UK International Data Transfer Addendum — together with appropriate technical and organisational safeguards (TLS 1.2+, AES-256, access control on a need-to-know basis). A current list of sub-processors is available on request from privacy@ins-pi.com.

Breach notification. Where a personal-data breach affects our systems, the relevant ins-pi controller notifies the competent supervisory authority within 72 hours under GDPR Art. 33, and affected individuals without undue delay where the breach presents a high risk to their rights and freedoms (Art. 34).

4. Retention

Personal data is retained only for as long as necessary for the purposes described here, or as required by law. Indicative periods:

• Customer and commercial records — up to 10 years after end of the business relationship (statutory accounting retention, HGB §257 / IRS).
• Prospect and marketing data — up to 3 years from last meaningful interaction, unless consent is actively withdrawn or renewed.
• Website analytics (aggregated) — up to 26 months.
• Recruiting data — up to 6 months after a role is filled, unless you consent to a longer retention.

5. Your rights

Subject to applicable law, you may exercise the following rights free of charge against the controller responsible for your data:

• Access, rectification, and erasure (GDPR Art. 15–17).
• Restriction of and objection to processing (Art. 18, Art. 21), including the right to object to direct marketing at any time.
• Data portability (Art. 20).
• Withdrawal of consent at any time, without affecting the lawfulness of prior processing.
• The right to lodge a complaint with a supervisory authority — for ins-pi GmbH, typically the State Data Protection Commissioner for North Rhine-Westphalia (LDI NRW); for United Kingdom residents, the Information Commissioner's Office (ICO); for other EEA or Swiss residents, the data-protection authority of your country of residence.

To exercise any right, write to privacy@ins-pi.com. We respond within one month under GDPR (extendable by two months for complex requests).

Residents of US states with comprehensive privacy laws (California CCPA / CPRA, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, Montana, and others) may have additional rights — contact us at the address above and we will honour them to the extent the relevant law applies.

6. Cookies

ins-pi.com uses strictly necessary cookies to operate, and optional analytics or marketing cookies only with your consent. See the Cookies Policy for categories, durations, third-party embeds, email tracking, and how to change your consent at any time.

7. Contact

For any privacy matter: privacy@ins-pi.com, or by post to either company at the addresses in section 1 (also in the Imprint). At the current scale of each company, a statutory DPO is not mandatory; each company has designated a Compliance Lead who holds equivalent responsibilities.

This Privacy Statement may be updated from time to time. Material changes are announced on this page and, where appropriate, by direct notification. The effective date above reflects the most recent revision.